In 2022, bank boards will pay greater attention to incorporating environmental, social, and governance (ESG) factors into their decision-making and focus on cyber and tech issues, according to the KPMG Bank Board Agendas: 2022. And the same goes for their audit committees.
Boards and audit committees often have divergent priorities. But in the current environment, there is even more of a balancing act necessary in pushing management for action on issues impacting the industry's risk environment, such as cybersecurity risks; economic challenges; a fast-changing and uncertain regulatory landscape; and attention to financial reporting and internal control risks—the number one priority of the audit committee.
Board and audit committee priorities converge on three key areas:
The board's fiduciary role remains oversight, and the audit committees' core oversight responsibility lies in financial reporting and related internal controls. Effective engagement in strategy discussions, which investors expect, increasingly calls for a collaborative mindset, since the current environment makes oversight and deployment especially challenging.
We anticipate that banks will need to provide detailed and measurable public information about how they are addressing and responding to climate change, DEI, cyber, and other ESG risks. Transparency on how these risks are managed is critical to investors, research and ratings firms, activists, employees, customers, and regulators.
Areas of particular importance include:
"By disclosing their approach to financial inclusion and capacity building, commercial banks can provide investors with decision-useful information for assessing banks' ability to ensure long-term, sustainable value creation."
Board Responsibilities: The board should challenge management to identify material ESG matters, define meaningful metrics, develop a control framework to gather data for reporting, and obtain assurance over the completeness and accuracy of disclosures.
After determining the ESG issues that are material to the bank, the board should assess which of these issues are of strategic significance. It should then ask questions like:
Audit Committee Responsibilities: The audit committee should encourage management to reassess the scope and quality of the company's sustainability/ESG disclosures, particularly those used by a company's investors.
As investors and regulators increasingly pressure commercial banks to incorporate ESG risks, banks that fail to do so could face decreasing returns and value for shareholders.
The effects of the pandemic, rising cyberattacks and ransomware demands, and the increasing reliance of banks on technology make cybersecurity crucial. Companies that are unable to address these risks could face diminishing revenue and consumer confidence.
Board Responsibilities: Boards should insist on a data governance framework that makes clear how and what data is being collected, stored, managed, and used, and who makes decisions regarding these issues. They should also clarify which business leaders are responsible for data governance and reassess how the board assigns and coordinates oversight responsibility for cybersecurity and data governance frameworks.
Audit Committee Responsibilities: Audit committees' key focus should be on internal control over financial reporting and probing control deficiencies, especially as they relate to whether those controls have kept pace with the changing risk profile. Importantly, the SEC is likely to address cybersecurity governance. As former SEC Commissioner Elad Roisman recently said,
“Given the increasing and inevitable reliance of advisers on technology in their businesses, it is time that the Commission bring more clarity to this issue in cases where there may be confusion about whether to notify the Commission and investors in the event of a cybersecurity breach.”
This aligns with earlier guidance from the SEC, which states:
"Crucial to a public company's ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business."
Accelerating digital transformations present important opportunities for banks. As audit committees monitor and help guide finance's progress in this area, banks would do well to think about these questions:
There will likely be a need for boards and audit committees to establish governance and perform oversight on how to engage in digital assets. Before making the jump into this growing market, boards of banks, like all companies considering direct investments in digital assets, should evaluate how their corporate governance, accounting procedures, and internal controls will need to be updated to support successful investment strategies. A solid foundation in these areas will translate into a smoother process and help companies manage the risks and rewards that come with digital assets.
The rapidly changing financial and regulatory landscape presents complex challenges for commercial banks. But by aligning their efforts, CFOs and audit and compliance committee chairs can drive growth and value for investors and the capital markets as well as instill trust through transparency. Their work will receive close attention in 2022.